Subject: Issues with Windows 2000 Encrypting File System and Disk
Wipe
TO: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>
Microsoft has released a new tool to address issues with Encrypting
File System under Windows 2000 found by Colman Communications Consulting.
Disclaimer
The information contained within this advisory is provided as is
with no warranty of fitness implied or otherwise. By making use
of the information you agree to do so entirely at your own risk
and indemnify Colman Communications Consulting Pty Ltd against any
damage which may result.
Synopsis
The vulnerabilities present in EFS are summarised thus:
1. Files which are moved into an encrypted folder, or are present
as plain text prior to a directory being encrypted, have a plain
text copy made. In addition plain text fragments of the original
will also persist.
2. Third party disk wipe products do not effectively "zero"
unused disk space under Windows 2000.
Additional information and advice on how to mitigate these risks
is provided
below.
Plain Text Copies
When files which were previously in plain text are encrypted using
EFS, either by encrypting the file or the directory the file is
in, or by moving the file into a directory with EFS applied, a plain-text
(as distinct from cipher-text) copy of the file is made on the disk.
In addition to this plain-text fragments of the original file may
also persist.
In the case of the plain text copy this occurs because Windows
2000 takes a temporary backup copy of the file prior to encryption
to ensure that it can recover the file should a system error occur
whilst the file is being encrypted. In terms of the file fragments
this is simply a reflection of the standard operation of most operating
systems where "deleted" files are not actually overwritten,
but simply de-allocated.
Depending on the usage of the system this presents the possibility
that the plain text copy and plain text fragments of the original
file could persist on the system's disk until such time as the system
has a need for the space and overwrites the data contained there.
Access to the plain text copy or fragments could be achieved by
anyone who is able to obtain physical access to the disk, and can
mount the disk into another system. Access to the plain text copy
could also be achieved by an "Administrator" who is able
to load a device driver to speak directly to the disk.
When EFS is used in the recommended manner, that is files are only
created inside folders with EFS enabled the problem of plain-text
copies and fragments does not occur.
Organisations that are using EFS to help mitigate the risk of physical
security of systems should be aware of this issue and act in accordance
with the recommended mode of operation, and our advice below.
Disk Wipe Products Fail To Wipe Disk The issue described above
is compounded by the fact that most third party disk wipe products
do not wipe the disks of Windows 2000 systems.
This effectively means that users are unable to clear plain text
copies of files they thought were encrypted, as well other material
they thought they had deleted, by using disk wipe products.
Organisations that are making use of disk wipe products to manage
risks related to "deleted" data under Windows 2000 should
be aware of this issue and act in accordance with our advice below,
and that provided by Microsoft.
Advice on Mitigating Risk
Colman Communications Consulting has worked with Microsoft to have
these issues addressed. This work has resulted in a commitment from
Microsoft to place emphasis the behaviour of EFS and writing a tool
which can be used to wipe unused disk space on Windows 2000 systems.
If you are using EFS then you should ensure that:
- Your users are educated on the correct manner of operating EFS
so as to prevent the proliferation of plain text copies.
- You install and run the cipher.exe tool on your systems to ensure
that any plain text copies and other sensitive "deleted"
information is zeroed.
The new version of cipher.exe along with install instructions was
orginally posted at:
http://www.microsoft.com/technet/security/cipher.asp
At the time of posting this page is temporarily unavailable due
to a revamp of the Microsoft Technet Area. However, the related
Microsoft Knowledge
Base Article can be found at:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP
|